Saturday, September 20, 2014

A growing technique, used especially by pill spammers, takes advantage of a trick that abuses Google's URL service.

In yesterday's spam review, we had 4,778 messages that contained this new form of Google URL.

The spammer's objective is to mask the actual location of their spam-advertised domain by advertising a link to Google instead. Clicking on the Google link is not a "search" but rather a "referral", similar to how Google tracks which advertisement host should get credit for an advertisement that has been clicked on. Here's an example of one of the URLs (with a line feed splitting the URL after the "q=").

What you see in the part after the "q=" is an ASCII-encoded string, mixed with regular characters. The portion after the "usg=" is what we would normally think of as the tracking ID for an advertisement, and may, in fact, be used in that way, although we do not have confirmation of that yet. Let's decode this one:
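For mail review, the same decoding can be automated so that filtering acts on the hidden destination rather than on the Google link. This is an added example, not code from the original post: it runs on a constructed URL (not the one from the spam run), the function names are hypothetical, and it assumes the referral link has the form `google.com/url?q=...&usg=...`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample message body (NOT from the original post). The q= value
# mixes %XX escapes with plain characters, as described above.
SAMPLE_BODY = (
    "Cheap meds here: "
    "http://www.google.com/url?q=%68%74tp%3A%2F%2Fpills%2Eexample%2Fsh%6Fp"
    "&usg=PLACEHOLDER_USG_TOKEN"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_google_host(host):
    # Assumption: only google.com and its subdomains are checked here;
    # country-specific Google hosts would need to be added for real use.
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def unmask(url):
    """Return (destination, usg) for a Google /url referral link, else None."""
    parts = urlsplit(url)
    if not is_google_host(parts.hostname) or parts.path != "/url":
        return None
    params = parse_qs(parts.query)  # parse_qs percent-decodes each value
    dest = params.get("q", [None])[0]
    if not dest:
        return None
    return dest, params.get("usg", [None])[0]


def destinations_in(body):
    """List every masked destination advertised in a message body."""
    found = []
    for link in URL_RE.findall(body):
        hit = unmask(link)
        if hit:
            dest, usg = hit
            found.append({"link": link, "destination": dest,
                          "domain": urlsplit(dest).hostname, "usg": usg})
    return found


if __name__ == "__main__":
    for item in destinations_in(SAMPLE_BODY):
        print(item["domain"], item["destination"], item["usg"])
```

Feeding the extracted `domain` into the existing domain blocklist or reputation check lets the message be scored on the spam-advertised site instead of on `google.com`.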